Buying free stuff online, isn’t that the dream of today’s generation? I know that because I am that person who buys everything online; every single thing in my apartment was bought on an e-commerce website, trust me, everything. We are in a generation where e-commerce has boomed so rapidly that there is no stopping it. Alibaba set a new record with more than $30.8 billion in sales in just 24 hours; give that a moment to settle in.
Yet the mechanism behind all these transactions is just bits of information flowing over a giant interconnected web of devices we call the internet. Anyone who understands the science behind how these transactions take place can figure out a way to shop online forever, and that too free of cost.
Let’s dig in!
Most of the security personnel reading this article might be thinking it is just clickbait, but I want you to keep an open mind and follow along as I explain the three levels of difficulty at which you can hack a payment gateway for an e-commerce brand.
- The easy way
- The tricky way
- The next to impossible way
These three points are the stepping stones to hacking and being able to manipulate any payment gateway.
1. The easy way
This is the easiest way to manipulate the amount of the product you are buying: the cost / amount of the product is present in a hidden element of the form on the HTML page. While we are choosing an item we plan to buy, the price of the item is added to the total, and that price is taken from the hidden field that is submitted with the form and then presented as the grand total.
How to bypass it -
To change the price of the product, all you have to do is change it in the hidden form field where the price is mentioned before adding the product to the cart. That way the actual price is never added to the cart and you can buy the product literally for free.
2. The tricky way
This is the second way to manipulate the amount of the product you are buying online and change the price to your liking. In this case we use an intercepting proxy like Burp Suite. The price isn’t in a hidden form field, so we can’t change it the way we did before; we add the product to the cart as normal.
How to bypass it -
Once we reach the payment gateway, we turn on intercept and edit the cost manually in the request we just intercepted. After editing the price in the interceptor we forward the request, and just like that we have another free product.
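Both the hidden-field trick and the intercepted-request trick work for the same reason: the server trusts a price that arrived from the browser. The fix for both is the same, so here is one added example (not code from the original post) of a cart and checkout handler that takes prices only from a server-side catalogue and treats any client-supplied amount purely as a tampering signal. The catalogue, SKUs and request dictionaries are constructed for the demo; a real shop would read them from its database and web framework.

```python
# Added example (not from the original post): cart and checkout handlers that
# never trust a client-supplied price.  CATALOG, the SKUs and the request
# dictionaries are constructed for this demo.
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("150.00"),
}

class PriceTamperingDetected(Exception):
    """Raised when a client-supplied amount disagrees with server-side data."""

def vulnerable_add_to_cart(cart, request):
    """The pattern from the 'easy way': the price arrives in a hidden form
    field (or an intercepted request) and is used as-is for the total."""
    sku = request["sku"]
    qty = int(request["qty"])
    price = Decimal(request["price"])  # attacker-controlled value
    cart[sku] = cart.get(sku, Decimal("0")) + price * qty
    return cart

def hardened_add_to_cart(cart, request):
    """Price is looked up server-side.  If the client sends a price at all,
    a mismatch is rejected and is worth logging as a tampering attempt."""
    sku = request["sku"]
    qty = int(request["qty"])
    if sku not in CATALOG:
        raise KeyError(f"unknown sku {sku}")
    if qty < 1 or qty > 99:
        raise ValueError("quantity out of range")
    unit_price = CATALOG[sku]
    if "price" in request and Decimal(request["price"]) != unit_price:
        raise PriceTamperingDetected(
            f"client sent {request['price']} for {sku}, catalogue says {unit_price}"
        )
    cart[sku] = cart.get(sku, Decimal("0")) + unit_price * qty
    return cart

def grand_total(cart):
    """Recompute the total from the server-side cart, never from the request."""
    return sum(cart.values(), Decimal("0"))

def checkout_amount(cart, request_amount):
    """Gateway hand-off step (the 'tricky way' defence): the amount sent to the
    gateway is the recomputed server-side total, and a request whose amount
    differs from it is refused instead of forwarded."""
    expected = grand_total(cart)
    if Decimal(request_amount) != expected:
        raise PriceTamperingDetected(
            f"checkout amount {request_amount} != server total {expected}"
        )
    return expected

if __name__ == "__main__":
    tampered = {"sku": "sku-100", "qty": "1", "price": "0.01"}
    print("vulnerable:", vulnerable_add_to_cart({}, tampered))
    try:
        hardened_add_to_cart({}, tampered)
    except PriceTamperingDetected as e:
        print("hardened rejected:", e)
```

Because every amount that reaches the gateway is recomputed on the server, editing a hidden field or a proxied request only produces a rejected request and a log line, not a discount.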
3. The next to impossible way
People who have been working with payment gateways and online transactions may already know the steps up to this point, and they will have security in place that takes care of the vulnerabilities I just mentioned. The most well known way to protect against these vulnerabilities is to use a hash.
Hashes are used to check the integrity of the message sent from the e-commerce website to the payment gateway. The hash and the other values, including the price of the product, are sent over for verification, and only if the hashes computed before and after the payment gateway match is the transaction allowed.
How to bypass it -
This is the method most security vendors consider secure; the problem arises when you dig a little deeper and focus on one e-commerce website at a time.
The first thing you learn as a hacker is never to give up, and to find a solution no matter how crazy it is. So I started digging into the hash and how they formulate it. To make it easier for developers to integrate their e-commerce website with the payment gateway, these companies publish articles in the public domain describing how the hash is formulated, along with other details.
A little reconnaissance and you can find this documentation, i.e. the parameters that are involved and the hashing technique used to create the hash. Once you know the required parameters, most of them are present in the packet you have intercepted; usually one of the parameters is a password that is known only to the e-commerce admin.
So the next step is to put the parameters together and either brute force or run a dictionary attack to find that password. Once you have it, you can create your own hash for the modified price of the product and buy unlimited free products from that vendor as long as they don’t change the password.
This step is really difficult, but some developers just copy the sample code with the same password as in the documentation, leading to this security vulnerability and allowing free online purchases.
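The hash scheme only holds if the shared secret is strong and is actually checked on the merchant side. Here is an added example (not from the original post and not any particular gateway’s published scheme) of how a merchant integration can sign the checkout parameters with HMAC-SHA256, refuse to start with a weak or documentation-sample secret, and verify the gateway’s callback with a constant-time comparison plus a check of the returned amount against the stored order. The field names, the sample-secret list, the environment variable name and the order store are all assumptions for the demo.

```python
# Added example (not from the post or any specific gateway): HMAC-SHA256
# signing and verification for a merchant-to-gateway integration.  Field
# names, the sample-secret list, MERCHANT_SECRET and ORDERS are assumptions.
import hashlib
import hmac
import os
import secrets

# Assumed set of parameters covered by the signature.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency")

# Placeholders standing in for whatever value a gateway's sample code ships with;
# the real list would hold the literal strings from that vendor's documentation.
DOC_SAMPLE_SECRETS = {"password", "secret", "YOUR_SECRET_KEY", "changeme"}

# Constructed order store: the amount the server expects for each order.
ORDERS = {"o-1001": {"amount": "150.00", "currency": "USD"}}

def load_merchant_secret(env=os.environ):
    """Fail at startup rather than run with the secret copied from the docs."""
    key = env.get("MERCHANT_SECRET", "")
    if not key:
        raise RuntimeError("MERCHANT_SECRET is not set")
    if key in DOC_SAMPLE_SECRETS or len(key) < 32:
        raise RuntimeError("MERCHANT_SECRET is a sample or too short; rotate it")
    return key.encode()

def generate_secret():
    """256-bit random secret, suitable as a replacement for a sample value."""
    return secrets.token_hex(32)

def canonical_string(params):
    """Fixed field order so both sides hash exactly the same bytes."""
    return "|".join(f"{field}={params[field]}" for field in SIGNED_FIELDS)

def sign(params, secret):
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()

def verify_signature(params, secret):
    """Constant-time comparison so timing does not leak the expected digest."""
    provided = params.get("hash", "")
    return hmac.compare_digest(provided, sign(params, secret))

def verify_callback(params, secret, orders=ORDERS):
    """Accept a gateway callback only if the signature is valid AND the amount
    and currency match what the server recorded for that order."""
    if not verify_signature(params, secret):
        return False, "bad signature"
    order = orders.get(params["order_id"])
    if order is None:
        return False, "unknown order"
    if params["amount"] != order["amount"] or params["currency"] != order["currency"]:
        return False, "amount/currency mismatch with stored order"
    return True, "ok"

if __name__ == "__main__":
    secret = load_merchant_secret({"MERCHANT_SECRET": generate_secret()})
    params = {"merchant_id": "m-1", "order_id": "o-1001", "amount": "150.00", "currency": "USD"}
    params["hash"] = sign(params, secret)
    print(verify_callback(params, secret))
```

Two points matter for detection: a signature failure on a callback is a strong signal and should be alerted on, and the startup check turns the copied-from-the-docs password into a deployment error instead of a silent weakness.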
Every security vulnerability I exposed above is caused by a lack of awareness among developers: they are unaware of the security risks in their code and of how it can cost the company thousands or even millions of dollars in damage.
If developers focused more on the security perspective and kept secure coding in mind, more than 90% of these errors could be solved straight away and no security risk would arise.